509322

"All of the components in the operating system are found in the WinSxS folder – in fact we call this location the component store. Each component has a unique name that includes the version, language, and processor architecture that it was built for. The WinSxS folder is the only location that the component is found on the system, all other instances of the files that you see on the system are “projected” by hard linking from the component store. Let me repeat that last point – there is only one instance (or full data copy) of each version of each file in the OS, and that instance is located in the WinSxS folder. So looked at from that perspective, the WinSxS folder is really the entirety of the whole OS, referred to as a "flat" in down-level operating systems. This also accounts for why you will no longer be prompted for media when running operations such as System File Checker (SFC), or when installing additional features and roles."
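The quoted text makes a checkable claim: the System32 copy of a file and its WinSxS copy are the same NTFS file, reachable through two hard links, and the WinSxS folder name encodes architecture, component name, version and language. The following PowerShell is an added example, not part of the thread or of the quoted Microsoft text. It assumes Windows Vista or later on an NTFS system volume, and it relies on fsutil, which may need an elevated prompt on some builds. The regex that splits the component folder name is my reading of the arch_name_publicKeyToken_version_language_hash scheme and is an assumption.

```powershell
# Added example (not from the thread). Lists every hard link that shares a file's data
# and pulls the version/language/architecture fields out of the WinSxS folder name.
# Assumes fsutil is available; run elevated if it reports access denied.

function Get-WinSxSProjection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    # Assumed layout of a component folder name: arch_name_publicKeyToken_version_language_hash
    $componentName = '^(?<arch>[^_]+)_(?<name>[^_]+)_(?<token>[0-9a-f]{16})_(?<version>[\d.]+)_(?<lang>[^_]+)_(?<hash>[0-9a-f]{16})$'

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            Write-Warning "Not found: $file"
            continue
        }

        # fsutil enumerates the links from the file record itself, so every path it prints
        # is the same file, not a copy. Paths are volume-relative (leading backslash).
        $links = @(fsutil hardlink list $file 2>$null | Where-Object { $_ -match '\S' })
        $drive = (Get-Item -LiteralPath $file).PSDrive.Root.TrimEnd('\')
        $store = @($links | Where-Object { $_ -match '^\\Windows\\WinSxS\\' } | ForEach-Object { $drive + $_ })

        $fields = $null
        if ($store.Count -gt 0) {
            $folder = Split-Path -Path (Split-Path -Path $store[0] -Parent) -Leaf
            if ($folder -match $componentName) {
                $fields = [pscustomobject]@{
                    Architecture = $Matches.arch
                    Component    = $Matches.name
                    Version      = $Matches.version
                    Language     = $Matches.lang      # "none" means language-neutral
                }
            }
        }

        [pscustomobject]@{
            File        = $file
            LinkCount   = $links.Count          # 1 would mean the file is NOT projected from the store
            StorePaths  = $store
            Component   = $fields
        }
    }
}

# Usage: two binaries that are hard-linked into the store on a normal install.
Get-WinSxSProjection -Path "$env:windir\System32\cmd.exe",
                           "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" |
    Format-List
```

The security-relevant consequence of a link count above 1 is that writing to either path changes the single underlying file; there is no pristine copy in WinSxS to restore from, which is why SFC and DISM repair from the store's other components and from Windows Update rather than from a "backup" of the same file.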

Level 82

"All of the components in the operating system are found in the WinSxS folder – in fact we call this location the component store. Each component has a unique name that includes the version, language, and processor architecture that it was built for. The WinSxS folder is the only location that the component is found on the system, all other instances of the files that you see on the system are “projected” by hard linking from the component store. Let me repeat that last point – there is only one instance (or full data copy) of each version of each file in the OS, and that instance is located in the WinSxS folder. So looked at from that perspective, the WinSxS folder is really the entirety of the whole OS, referred to as a "flat" in down-level operating systems. This also accounts for why you will no longer be prompted for media when running operations such as System File Checker (SFC), or when installing additional features and roles."

I might have misinterpreted the question, so apologies for that. How do you define 'abuse'? For example, you can create a PowerShell script that uses the IFileOperation COM interface to create a folder with a malicious DLL and then bypass UAC using WinSxS pointing to that DLL. Does that count?
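The post above is the attacker's side: a DLL dropped into a folder under WinSxS. The PowerShell below is an added example, not part of the thread, showing the coarse sweep a defender would run to find DLLs in the component store that do not look like servicing put them there. It assumes Windows 8 or later (so Get-AuthenticodeSignature can validate catalog-signed files), that store files are normally owned by NT SERVICE\TrustedInstaller, and an elevated prompt so ACLs can be read. The exclusion list of non-component subfolders and the component folder-name pattern are assumptions.

```powershell
# Added example (not from the thread). Flags recently written DLLs under WinSxS whose owner,
# signature or folder name does not match what servicing normally produces.
# Caveats: Windows Update legitimately writes here, so correlate hits with Get-HotFix
# InstalledOn dates; an attacker can also timestomp, so this is a triage aid, not proof.

function Find-SuspectWinSxSDll {
    [CmdletBinding()]
    param(
        [int]$Days = 7,                          # how recent a write has to be to count
        [string]$Store = "$env:windir\WinSxS"
    )

    $since = (Get-Date).AddDays(-$Days)
    # Assumed: these store subfolders do not follow the component naming scheme.
    $nonComponentDirs = '\\(Manifests|Catalogs|Backup|Temp|FileMaps|InstallTemp)(\\|$)'
    # Assumed layout of a component folder name: arch_name_publicKeyToken_version_language_hash
    $componentName = '^[^_]+_[^_]+_[0-9a-f]{16}_[\d.]+_[^_]+_[0-9a-f]{16}$'

    Get-ChildItem -LiteralPath $Store -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        ForEach-Object {
            $reasons = @()

            $owner = (Get-Acl -LiteralPath $_.FullName).Owner
            if ($owner -ne 'NT SERVICE\TrustedInstaller') { $reasons += "owner is $owner" }

            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
            }

            $dir = $_.Directory
            if ($dir.FullName -notmatch $nonComponentDirs -and $dir.Name -notmatch $componentName) {
                $reasons += "folder '$($dir.Name)' is not a component name"
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Written = $_.LastWriteTime
                    Owner   = $owner
                    Reasons = $reasons -join '; '
                }
            }
        }
}

# Usage: anything written in the last week that fails one of the three checks.
Find-SuspectWinSxSDll -Days 7 | Format-Table -AutoSize
```

Third-party side-by-side assemblies do exist under WinSxS, so a non-Microsoft signer is a reason to look, not a verdict; a DLL that is unsigned and owned by a regular user account in a folder that is not a component name is the combination that deserves immediate attention.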

509322

I might have misinterpreted the question, so apologies for that. How do you define 'abuse'? For example, you can create a PowerShell script that uses the IFileOperation COM interface to create a folder with a malicious DLL and then bypass UAC using WinSxS pointing to that DLL. Does that count?

Level 82

Let's assume for the moment that it is theoretically possible to abuse PowerShell in WinSxS.

The more relevant question (to me at least) is how current malware goes looking for PowerShell. Is it rigidly coded to find PowerShell in the standard locations, and will not find it hidden deep within WinSxS? Or maybe it is smart enough to search for it wherever it might be?


509322

Let's assume for the moment that it is theoretically possible to abuse PowerShell in WinSxS.

The more relevant question (to me at least) is how current malware goes looking for PowerShell. Is it rigidly coded to find PowerShell in the standard locations, and will not find it hidden deep within WinSxS? Or maybe it is smart enough to search for it wherever it might be?

With this information, I decided to create the registry structure needed for “eventvwr.exe” to successfully query the HKCU location instead of the HKCR location. Since the (Default) value located in HKCR\mscfile\shell\open\command contained an executable, I decided to simply replace the executable with powershell.exe.

When starting “eventvwr.exe”, I noticed that it successfully queried/opened HKCU\Software\Classes\mscfile\shell\open\command.

This action effectively replaced the expected “mmc.exe” value with our new value: “powershell.exe”. As the process continued, I observed that it ended up starting “powershell.exe” instead of “mmc.exe”.
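The write-up pasted above works because HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes in which the per-user key wins, so the defender's check is simply whether the per-user key exists. The PowerShell below is an added example, not part of the thread or of the quoted write-up. It assumes that on a clean machine no user hive contains Software\Classes\mscfile (the ProgId lives only under HKLM), and it sees only hives currently loaded under HKEY_USERS, so logged-off users would need their NTUSER.DAT/UsrClass.dat loaded first. The ProgId parameter is my generalization: the same lookup applies to any ProgId an auto-elevating binary resolves through HKCR.

```powershell
# Added example (not from the thread). Reports, for every loaded user hive, whether the
# per-user shell\open\command key exists for a ProgId and what it points at, beside the
# machine-wide default it would override.

function Test-UserClassHijack {
    [CmdletBinding()]
    param(
        # mscfile is the ProgId eventvwr.exe resolves; pass others to check the same pattern.
        [string]$ProgId = 'mscfile'
    )

    $subKey = "Software\Classes\$ProgId\shell\open\command"

    # Machine-wide default read straight from HKLM, so a per-user override cannot mask it.
    $machineKey = "HKLM:\$subKey"
    $machineCmd = if (Test-Path $machineKey) { (Get-ItemProperty -Path $machineKey).'(default)' } else { $null }

    # Loaded user hives with real account SIDs (skips S-1-5-18/19/20 and the *_Classes link hives).
    $hives = Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    foreach ($hive in $hives) {
        $userKey = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
        $present = Test-Path $userKey
        $userCmd = if ($present) { (Get-ItemProperty -Path $userKey).'(default)' } else { $null }

        [pscustomobject]@{
            Sid            = $hive.PSChildName
            ProgId         = $ProgId
            Hijacked       = $present      # presence alone redirects HKCR for this user
            UserCommand    = $userCmd
            MachineCommand = $machineCmd
        }
    }
}

# Usage: on a clean system every row shows Hijacked = False and an empty UserCommand,
# with MachineCommand holding the mmc.exe command from HKLM.
Test-UserClassHijack -ProgId 'mscfile' | Format-Table -AutoSize
```

Remediation is to delete the per-user key, which restores the HKLM default. For continuous coverage rather than a point-in-time check, watch the same path with Sysmon registry events (IDs 12 and 13) or a SACL plus Security event 4657, since the hijack is a plain registry write by a medium-integrity process and produces nothing else before eventvwr.exe is launched.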

Level 4

Let's assume for the moment that it is theoretically possible to abuse PowerShell in WinSxS.

The more relevant question (to me at least) is how current malware goes looking for PowerShell. Is it rigidly coded to find PowerShell in the standard locations, and will not find it hidden deep within WinSxS? Or maybe it is smart enough to search for it wherever it might be?

There are a few ways they can do this. Going back to my previous post, this can be seen more commonly in Office macros. The macro would invoke the WMI service to spawn a hidden instance of PowerShell with specific arguments to bypass the execution policy, be hidden, etc.
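The pattern described above leaves two traces a defender can check at a glance: because the macro goes through WMI (Win32_Process.Create), the new PowerShell process is a child of WmiPrvSE.exe rather than of the Office binary, and its command line carries the window-hiding and policy-bypass switches. The PowerShell below is an added example, not part of the thread. It is a point-in-time check over live processes only; the switch spellings it matches are PowerShell's documented aliases (-w/-WindowStyle, -ex/-ep/-ExecutionPolicy, -e/-ec/-EncodedCommand, -nop/-NoProfile, -noni/-NonInteractive), and the two-indicator threshold is my choice to keep an admin's plain `-nop` shell out of the results.

```powershell
# Added example (not from the thread). Lists powershell.exe / pwsh.exe instances that
# combine at least two of: WmiPrvSE.exe parent, hidden window, policy bypass, encoded
# command, no profile, non-interactive. Requires rights to read other users' processes
# (run elevated to see everything).

function Get-SuspiciousPowerShell {
    [CmdletBinding()]
    param()

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($p in $all) {
        if ($p.Name -notin 'powershell.exe', 'pwsh.exe') { continue }

        $parent = $byPid[[uint32]$p.ParentProcessId]
        $cmd    = [string]$p.CommandLine
        $hits   = @()

        # Parent chain is the give-away: WMI breaks the winword.exe -> powershell.exe link.
        if ($parent -and $parent.Name -ieq 'WmiPrvSE.exe') { $hits += 'parent is WmiPrvSE.exe (Win32_Process.Create)' }

        if ($cmd -match '(?i)(^|\s)[-/]w\w*\s+hidden\b')                        { $hits += 'window hidden' }
        if ($cmd -match '(?i)(^|\s)[-/](ex\w*|ep)\s+(bypass|unrestricted)\b')   { $hits += 'execution policy bypassed' }
        if ($cmd -match '(?i)(^|\s)[-/](e|ec|en\w*)\s+[A-Za-z0-9+/=]{40,}')       { $hits += 'encoded command' }
        if ($cmd -match '(?i)(^|\s)[-/]nop\w*\b')                                { $hits += 'profile skipped' }
        if ($cmd -match '(?i)(^|\s)[-/]noni\w*\b')                               { $hits += 'non-interactive' }

        if ($hits.Count -ge 2) {
            $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" }
                User        = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { $null }
                CommandLine = $cmd
                Indicators  = $hits -join '; '
            }
        }
    }
}

# Usage: run periodically, or once during triage of a host that opened a macro document.
Get-SuspiciousPowerShell | Format-List
```

This only catches processes that are still alive. For a record of short-lived instances, the same indicators apply to Sysmon Event ID 1 or to Security event 4688 with "Include command line in process creation events" enabled, where ParentImage/Creator Process Name and CommandLine carry the same fields this script reads from Win32_Process.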

Level 82

There are a few ways they can do this. Going back to my previous post, this can be seen more commonly in Office macros. The macro would invoke the WMI service to spawn a hidden instance of PowerShell with specific arguments to bypass the execution policy, be hidden, etc.
